1. Field
The present invention relates generally to computer security and, more specifically, to using virtualization in processor architectures to deter and detect usage of rootkits.
2. Description
A battle is taking place between attackers and defenders of computer systems. An attacker who manages to compromise a computer system seeks to carry out malicious activities on that system while remaining invisible to defenders. The attacker tries to monitor, intercept, and/or modify the state and actions of software on the system. At the same time, defenders actively search for attackers by looking for signs of system compromise or malicious activities.
Some attackers use a “rootkit” to attack a computer system. A rootkit is a set of small and useful computer programs that allow a permanent and undetectable presence on a computer system. A rootkit seeks to maintain access to “root,” the most powerful user on a computer system. Rootkits are often disguised as device drivers. Rootkits use many tricks and techniques to hide code and data on a system, and may also include methods for remote access and eavesdropping (such as sniffing network packets, keystroke sniffing, capturing passwords and decrypted files, and so on). Rootkits often work by modifying legitimate code via patching, “Easter eggs” and back doors, covert installation of spyware, or source code modification techniques. Some rootkits operate in user mode on a personal computer (PC) system, while other rootkits operate in kernel mode. Well-written kernel-mode rootkits are especially difficult to detect because they run at the highest processor privilege level, the same level as the operating system kernel and any detection software running within it.
In response, intrusion detection software seeks to detect rootkits installed on a computer system through various techniques. However, it is difficult for current approaches in intrusion detection software to stay ahead of the rapidly evolving threats of the attackers. New system-wide advances are needed.